Using multiple SSL client certificates in Java with the same host


Problem description

In my Java application, I need to connect to the same host using SSL, but using a different certificate each time. The reason I need to use different certificates is that the remote site uses a user ID property embedded in the certificate to identify the client.

This is a server application that runs on 3 different operating systems, and I need to be able to switch certificates without restarting the process.

Another user suggested importing multiple certificates into the same keystore. I'm not sure that helps me, though, unless there is a way to tell Java which certificate in the keystore to use.

Recommended answer

SSL can provide hints to the client about which certificate to present. This might allow you to use one key store with multiple identities in it, but, unfortunately, most servers don't use this hinting feature. So, it will be more robust if you specify the client certificate to use for each connection.

Here is sample code to set up one SSLContext with specified identity and trust stores. You can repeat these steps to create multiple contexts, one for each client certificate you want to use. Each SSLContext would probably use the same trust store, but a different identity store (containing the single client key entry to be used in that context).

Initialize the contexts that you will need one time, and reuse the correct one for each connection. If you are making multiple connections, this will allow you to take advantage of SSL sessions.

import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// identityStore: a loaded KeyStore holding this identity's single client key entry
// trustStore:    a loaded KeyStore holding the CA certificates you trust
// password:      the char[] protecting the private key in identityStore
KeyManagerFactory kmf =
  KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(identityStore, password);
TrustManagerFactory tmf =
  TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

Later, you can create a socket directly:

SSLSocketFactory factory = ctx.getSocketFactory();
Socket socket = factory.createSocket(host, port);

Or, if you are using the URL class, you can specify the SSLSocketFactory to use when making HTTPS requests:

HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
con.setSSLSocketFactory(ctx.getSocketFactory());

Java 6 has some additional API that makes it easier to configure sockets according to your preferences for cipher suites, etc.
